215: S&P500 Composition vs CAPE, Amazon Feet, Training Exponentials, COVID Beneficiaries, Log4J Vulnerability, Tor Attacks, and a Self-Balancing Cube
"It’s not because something keeps the same name that it remains the same thing."
Happiness doesn't lead to gratitude. Gratitude leads to happiness.
—David Steindl-Rast, via A.J. Jacobs
🥃 I was talking to Fiducia on a Twitter space a few days ago, and the topic of whisky came up.
I have a kind of ad hoc whisky-tasting club with some friends, and there’s a neat ‘coordination’ trick that has made it better:
We made a shared doc where we keep track of every bottle we own, and those we want to buy next.
The idea is that when we get together, we get to try more kinds (which is a big part of the fun). It’s kind of like a shared-custody distributed scotch library.
This way we avoid having 6 people who each own the same 3 bottles. If we each have 3 different ones with no overlap, well, I trust you can do 6 x 3 and know it’s > 3.
Another tip while I’m at it: Get some Glencairn glasses (they’re on Amazon).
You don’t realize how much difference the glass makes until you’ve had them for a while, and then go drink your favourite scotch somewhere else in a big tumbler, and it tastes very different with a lot missing.
So much of taste comes from smell, having a glass with the right size of aperture and proper surface area makes a big difference.
40% ABV’s rate of evaporation is very different from wine or beer. I know it sounds like fussy snobby crap, but hey, it works, and if for a few bucks invested upfront, every scotch bottle tastes much better, it’s a bargain ¯\_(ツ)_/¯
🎥 🎬 I liked this Tweet by @mmay3r:
You’re an extra in hundreds of stories, a supporting actor in half a dozen and the main character in one.
Better make sure the one is really good, then!
🛀 🌡 📝 Here’s a random idea, and I’m not sure what it is or what it would do if implemented. I guess it has a bit to do with testing how well-calibrated you are and revealing blind spots…
Imagine if writers had a way to self-assess how satisfied they are with every piece of content they create, at whatever atomic level makes the most sense for their work. So for me, it may be for each sub-head in this newsletter.
Say I write about XYZ. When I’m done, I could have a little pulldown menu next to that section where I could rank what I think of it out of 10. If I think this is some of my best writing, I may rank it a 9, if it’s just ok, I may rank it a 5-6, etc.
Readers could do the same thing on their side.
Each vote is secret, and readers wouldn’t see what the author’s rankings are.
But at the end, the system would show where the biggest mismatches are between readers and writer (“you thought this was good, but everybody thought it was crap… this thing you threw together in five minutes and almost deleted was a huge hit, everybody loved it”).
It would be all about making surprise hits more visible, because without feedback you may never notice, and recalibrating over time to better “see” quality.
💚 🥃 Let’s make a deal. Today, I won’t do the pitch about becoming a paid supporter, and in return, you’ll consider becoming a paid supporter (and when we get to 5%, I’ll do an AMA podcast — we’re at 4.67% right now):
A Word from our Legendary Sponsor: 🏰 Greenhaven Road Capital 🏰
Some context: Back in edition #159, I wrote as a joke that I’d love to review Parmigiano-Reggiano (aka real parmesan). I just love the stuff, and was probably hungry at the time, so it seemed like the ultimate gig.
Dreams *do* come true — I was contacted by a reader and supporter (💚 🥃) at Greenhaven Road Capital (check out their investor letters) who wanted to sponsor my parmesan adventure.
After recruiting my wife to the project, here we are with round #3:
For this final installment of the deathmatch between king Reggiano 👑 and a new contender, we went for a bit of a curveball.
Rather than go with another Italian cheese that is considered similar to the Parmigiano, I got a recommendation from the nice-lady-at-the-cheese-shop for an aged raw milk Gouda from a small island in the Netherlands!
On the photo above, the traditional parmesan is on the left, and on the right is the Lindenhoff gouda (“Gouda, like cheddar, is a cheese without a designation or territorial protection. It was originally named for the Dutch town of Gouda, famous since the 17th century for its wealthy cheese market.”).
My wife & I gave it a taste, going back and forth with the parmesan… Verdict?
It's definitely a bold taste, but not over-powering. It has some of those crystals that you can feel kind of crunch away when you bite into it, but the texture is softer than Parmesan.
It goes into a slightly more pungent direction (is that correct terminology?), but it's not super stinky or anything. Just a few notes that aren't in parmesan, at least to my nose.
The big twist here is that my wife says she likes the Lindenhoff better than the Parmigiano-Reggiano! She likes the texture of the parmesan better, but the taste of the Lindenhoff wins the day for her. Wow, our first upset!
As for me, I still prefer the Reggiano, but I gotta say, the Lindenhoff was a nice surprise and came closest to beating it. I’m going to make a note to buy it again… Life’s too short not to enjoy good cheese, at least once in a while.
Thanks again to Greenhaven Road Capital for making this crazy cheese review happen! 🧀
Investing & Business
Changes in S&P500 Composition vs CAPE
Disclaimer: I’m a macro tourist. I don’t invest in indexes or try to predict big sea changes in interest rates or relative valuations between factors and countries and all that…
But I liked this thread by Jake about how the massive change in the composition of the index has affected the oft-cited CAPE ratio (Cyclically Adjusted PE Ratio, aka Shiller ratio):
The top 10 holdings of the S&P 500 from ten years ago, which directly feeds into the CAPE to project forward returns of an index that only has two of these holdings still in the top 10 (and those two now have an 8% higher weight).
Another way to show this... the current top ten is > 30% of the index and was < 10% ten years ago. And I think it’s safe to assume the earnings of these companies is up 500-1000%+ over this period (too lazy to calc).
TLDR... if you think the CAPE makes US stocks expensive, you largely think FAAMG earnings will revert back to where they were 5+ years ago permanently
It’s a good specific application of a more general point:
It’s not because something keeps the same name that it remains the same thing.
You look at a chart of the Dow Jones or the S&P500 over decades, and it’s one line moving around. But underneath all that, a lot has changed.
The Dow was a very different animal in 1940 than in 1980 than in 2020.
Amazon Total Square Footage per Year
Amazon was already a big company in 2010, yet between 2019 and 2020, Amazon added many multiples of 2010-Amazon in square-footage.
Eyeballing it (and measuring pixels in Pixelmator Pro…), it looks like between 2019 and 2020, Amazon added slightly more feet than *everything* it had in 2015 🤯 (that’s bonkers).
h/t Braden Dennis
Training for Exponentials
We assume that humans have bad intuition for exponentials, but I wonder if it’s just because we don’t get enough training data (given the natural world has few exponentials). Perhaps a training sim for exponentials, given to kids, could result in much better intuition.
It certainly *couldn’t hurt* to train for it, especially at a relatively young age.
Doesn’t mean that it’ll ever be entirely intuitive and “native” to our brains, but I’m sure we can learn to pattern-match and recognize these types of situations more often, and at least know to switch to system 2 thinking when we do.
I think I’ll figure out a way to play around with this with my oldest kid… 🤔
From ‘Amazing digital transformation, the future was pulled forward by 3-5 years!’ to ‘Yoink, nevermind!’
Mr. Market is excellent at confusing as many people as possible.
Within a few months, investors will swing between being worried about deflation and inflation, about the internet economy eating everything and being a huge bubble, etc.
Science & Technology
☠️ Log4J Vulnerability: One of the worst large-scale security flaws in a while… 😵
[On] 9, 2021, a very serious vulnerability in the popular Java-based logging package Log4j was disclosed. This vulnerability allows an attacker to execute code on a remote server; a so-called Remote Code Execution (RCE). Because of the widespread use of Java and Log4j this is likely one of the most serious vulnerabilities on the Internet since both Heartbleed and ShellShock.
Yikes.
For those of you who pay attention to these things, the mention of Heartbleed 💔 should send some chills down your spine.
ASF says Log4Shell receives the maximum severity rating, 10, on the Common Vulnerability Scoring System (CVSS) scale.
At this time there appears to be a lot of reconnaissance going on. Actors, good and bad, are scanning for vulnerable servers across the world. Eventually, some of that reconnaissance will turn into actual penetration of servers and companies. And, because logging is so deeply embedded in front end and back end systems, some of that won't become obvious for hours or days.
Another reminder that good security is essential, ever more so in this increasingly digital world — without it, whatever else you have can be taken from you…
Tor Network Attacks 🔪🧅
One way to try to stay anonymous online is to send your traffic through the Tor network (Tor is an acronym for “The Onion Router”, 🧅 because of the multiple layers — if I was them, I’d have made the acronym recursive, and made Tor stand for ‘Tor Onion Router’…).
If you’re not familiar, the general idea is that there are thousands of relay servers operating around the world. When traffic is sent through this network, it bounces between these nodes, with the routing data encrypted multiple times (like Russian dolls). Each node can only decrypt one of the layers, which tells it only where to send the data next, not the original source or the ultimate destination, until an exit node hands the traffic back to the regular internet.
Anyway, it’s a cool concept, used both by good and bad actors (people in authoritarian countries, activists, but also dark web creepers and criminals), but that’s not what I want to talk about today.
I was reading this article about an attack on the Tor network from an unknown source that has been going on for years:
Since at least 2017, a mysterious threat actor has run thousands of malicious servers in entry, middle, and exit positions of the Tor network in what a security researcher has described as an attempt to deanonymize Tor users.
Tracked as KAX17, the threat actor ran at its peak more than 900 malicious servers part of the Tor network, which typically tends to hover around a daily total of up to 9,000-10,000.
Some of these servers work as entry points (guards), others as middle relays, and others as exit points from the Tor network.
This reminds me of the idea of a 51% attack on the Bitcoin network (which, as the number of miners goes up, becomes increasingly expensive and impractical). If you control a large enough part of the network, chances are that some of the traffic going through it will hit multiple of your nodes and you then have a lot more information about the source and destination.
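To put rough numbers on that intuition, here is an added example (not from the article or from the Tor Project) that takes the figures quoted above, about 900 hostile relays out of about 9,000, and computes how often a 3-hop circuit lands on several of them. It assumes relays are picked uniformly at random, which real Tor does not do (it weights by bandwidth and relay flags), and it goes slightly beyond the text by comparing a client that re-picks its entry relay for every circuit with one that keeps a single long-lived guard.

```python
"""Added example: how a relay share translates into circuit exposure (simplified model)."""
from fractions import Fraction
from math import comb

# Figures quoted on this page: ~900 KAX17 relays at peak, ~9,000 relays in total.
TOTAL, HOSTILE = 9000, 900


def hops_controlled(total, hostile, hops=3):
    """P(k hostile relays in one circuit), k = 0..hops.

    Assumption: relays are picked uniformly without replacement (hypergeometric).
    """
    denom = comb(total, hops)
    return [Fraction(comb(hostile, k) * comb(total - hostile, hops - k), denom)
            for k in range(hops + 1)]


def guard_and_exit(total, hostile):
    """P(first and last hop are both hostile): the pair that sees both ends."""
    return Fraction(hostile, total) * Fraction(hostile - 1, total - 1)


def exposure_unpinned(total, hostile, circuits):
    """P(at least one bad guard+exit pair) if every circuit re-picks its guard."""
    return 1 - float(1 - guard_and_exit(total, hostile)) ** circuits


def exposure_pinned(total, hostile, circuits):
    """Same, but the client keeps one guard for all circuits (entry guards)."""
    p_guard = hostile / total
    p_exit = (hostile - 1) / (total - 1)  # exit drawn from the remaining relays
    return p_guard * (1 - (1 - p_exit) ** circuits)


if __name__ == "__main__":
    dist = hops_controlled(TOTAL, HOSTILE)
    print("P(>=2 hostile hops)   :", round(float(sum(dist[2:])), 4))
    print("P(hostile guard+exit) :", round(float(guard_and_exit(TOTAL, HOSTILE)), 4))
    for n in (1, 10, 100, 1000):
        print(n, round(exposure_unpinned(TOTAL, HOSTILE, n), 4),
              round(exposure_pinned(TOTAL, HOSTILE, n), 4))
```

Under these assumptions a single circuit has about a 1% chance of a hostile first and last hop, but re-picking the entry relay for each of 100 circuits pushes the chance of at least one such circuit above 60%, while a pinned guard caps it at the hostile share of guards (10% here).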
Is this the work of an intelligence agency? A criminal hacker group? ¯\_(ツ)_/¯
Grouping these servers under the KAX17 umbrella, Nusenu says this threat actor has constantly added servers with no contact details to the Tor network in industrial quantities, operating servers in the realm of hundreds at any given point.
The actor’s servers are typically located in data centers spread all over the world and are typically configured as entry and middle points primarily, although KAX17 also operates a small number of exit points.
Nusenu said this is strange as most threat actors operating malicious Tor relays tend to focus on running exit points, which allows them to modify the user’s traffic. For example, a threat actor that Nusenu has been tracking as BTCMITM20 ran thousands of malicious Tor exit nodes in order to replace Bitcoin wallet addresses inside web traffic and hijack user payments.
This last part is interesting…
In the same way that there’s now a bunch of computer viruses that will try to steal crypto-wallet keys, malware that will hijack CPU cycles to do crypto-mining, and phishing emails that attempt to get users to breach their wallet security in various ways, even when taking the extra step of going on Tor, there’s the possibility of a malicious exit node trying to swap wallet addresses on the fly.
As for the strange Tor nodes? The Tor security team has been removing hundreds of them — especially exit nodes — but this being an anonymous network, it’s difficult to keep track and be sure who’s malicious and who isn’t.
It’s a wild world out there.
‘Will Covid-19 become milder over time?’
Will Covid-19 become milder over time? The answer to that question is most likely yes, but it may not have anything to do with the virus evolving to induce milder disease.
Scientists now know that SARS-CoV-2 can, at least to some degree, reinfect people who were previously infected or vaccinated. The combination of prior infections and vaccinations are building immunity in the population. This immunity isn’t perfect because it can’t block infection completely, but it does dampen the disease the virus can induce by shortening the time of infection, reducing the amount of virus that is produced and therefore reducing the symptoms and disease. [...]
In December 2019, SARS-CoV-2 entered a human population that had no immunity to it. In December 2021, the Omicron variant is entering a human population that has a large amount of immunity to SARS-CoV-2. That immunity in and of itself will lessen the disease severity of the variant. But in people with limited or compromised immunity, such as the unvaccinated, the elderly or the immune compromised, SARS-CoV-2 may still be able to cause severe disease because they don’t have protection conferred by pre-existing immunity. Covid-19 becoming a milder disease is not a decision the virus will make; it’s a decision that all of us can make if we take advantage of the vaccines that can control spread and reduce the burden of this disease. (Source)
The Arts & History
A Cube at the Intersection of Art & Engineering
h/t Massimo